In the space of just a few years, the Internet has emerged from relative obscurity to international prominence because it provides access to information, and the ability to publish information, in revolutionary ways. Whereas, in general, an internet is a network of networks, the Internet is a global collection of interconnected local, mid-level, and wide-area networks that use the Internet Protocol (IP) as the network layer protocol. Whereas the Internet embraces many local- and wide-area networks, a given local- or wide-area network may or may not form part of the Internet.
As the Internet and its underlying technologies have become increasingly familiar, attention has become focused on Internet security and computer network security in general. With unprecedented access to information have also come unprecedented opportunities to gain unauthorized access to data, change data, destroy data, make unauthorized use of computer resources, interfere with the intended use of computer resources, etc. As experience has shown, the frontier of cyberspace has its share of scofflaws, resulting in increased efforts to protect the data, resources, and reputations of those embracing intranets and the Internet.
To this end, security experts are constantly inventing new ways of enhancing computer network security. For example, it is known that the name of the application process that accesses a file can be very important in determining whether the access is likely to be ‘safe’ or ‘dangerous.’
For example, previous scanners introduced the concept of ‘Per Process Configuration’. This feature allows a virus scanner to use different scanning options depending on the process that accesses a file. For example, if a file is being opened by MS Word®, it is important to scan the file for macro viruses since MS Word® will execute the macros when it opens the file. However, if the file is being opened by a backup program, it may not be necessary to scan for macro viruses because they will not be executed.
One limitation of Windows NT® is that when a file is opened by a computer on the network, the file is opened on the local system by the operating system kernel. It is therefore impossible to distinguish between files being opened by the kernel for its own use and files being opened by the kernel on behalf of computers over the network. See, for example, the prior art operation shown in Table 1.
TABLE 1
1. PC1 sends message to PC2 to open \\PC2\SHARE\file.exe
2. PC2 receives message. Drivers in the kernel translate \SHARE\file.exe to c:\shared\file.exe
3. Drivers in kernel of PC2 open c:\shared\file.exe
Prior art virus scanners assign all opens by the kernel to a process called ‘System.’ The kernel opens files for its own use (these tend to be safe operations). It also opens files on behalf of remote computers (these are suspicious operations because remote computers cannot necessarily be trusted). Unfortunately, prior art virus scanners cannot tell the two apart, because both kinds of open come from the kernel (process ‘System’).
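The ambiguity described above, modelled as an added illustration (not code from this document or from any scanner). The policy table, share table, and function names are hypothetical, and the relaxed options given to ‘System’ are an assumption.

```python
import ntpath
from dataclasses import dataclass

# Hypothetical per-process scan options (names and values are assumptions).
POLICY = {
    "WINWORD.EXE": {"scan_macros": True, "scan_executables": True},
    "BACKUP.EXE": {"scan_macros": False, "scan_executables": False},
    # Assumed: kernel opens are treated as safe, so scanning is relaxed.
    "System": {"scan_macros": False, "scan_executables": False},
}
DEFAULT = {"scan_macros": True, "scan_executables": True}

# Constructed share table on PC2: share name -> local directory.
SHARES = {"SHARE": r"c:\shared"}


@dataclass(frozen=True)
class OpenEvent:
    # Everything the on-access hook sees: the opener's process name and the
    # local path. There is no field recording a remote requester.
    process: str
    path: str


def kernel_open_local(path):
    # The kernel opens a file for its own use.
    return OpenEvent("System", path)


def kernel_open_for_remote(unc):
    # Steps 1-3 of Table 1: the UNC name is translated to a local path
    # and the kernel opens it on behalf of the remote computer.
    _host, _, rest = unc.lstrip("\\").partition("\\")
    share, _, relative = rest.partition("\\")
    return OpenEvent("System", ntpath.join(SHARES[share], relative))


def scan_options(event):
    # Per Process Configuration: options depend only on the process name.
    return POLICY.get(event.process, DEFAULT)


if __name__ == "__main__":
    remote = kernel_open_for_remote(r"\\PC2\SHARE\file.exe")
    local = kernel_open_local(r"c:\shared\file.exe")
    print(remote, scan_options(remote))
    print("indistinguishable from a local kernel open:", remote == local)
```

Because the two events compare equal, any options chosen for ‘System’ apply to remote opens as well, whichever way they are set.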
There is thus a need for overcoming these and other related security problems.